Privacy Policy for Faktura
Thank you for using Faktura. This Privacy Policy explains how we collect, use, and protect personal information in connection with our website and platform at https://faktura.lu (the Service).
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Data Controller
Legal entity
Morgul Labs S.à r.l.-S
29B, rue de l'Église
L-7446 Lintgen
Luxembourg
2. Information We Collect
Faktura plays two distinct roles when handling personal data, and the protections below apply to both.
2.1 Account Holder Data (we are the controller)
When you register and use Faktura as a subscriber, we collect:
- Account information: name, email address, business name, and registration details.
- Billing information: billing address, VAT number, and payment metadata. We do not store full payment card numbers.
- Communications: messages exchanged with our support team.
- Technical information: log data, IP addresses, and basic device and browser information collected for security, debugging, and service-quality purposes.
2.2 Customer Data (you are the controller; we are the processor)
When you create invoices, quotes, and related records in Faktura, the personal data you enter about your own customers (names, addresses, VAT numbers, contact details, line items) is processed by us on your behalf.
You remain the controller of that data; we act solely as a processor under your instructions, in accordance with Article 28 GDPR. The terms of this processor relationship are set out in our Data Processing Agreement (DPA), available on request at support@faktura.lu.
3. Legal Basis for Processing
We process personal data on the following legal bases under Article 6 GDPR:
- Contract: to provide the Service you have subscribed to.
- Legal obligation: to comply with Luxembourg accounting, tax, and commercial record-keeping law, including the obligation to retain invoices for ten years.
- Legitimate interests: to secure the platform, prevent fraud, and improve our services in ways that do not override your rights.
4. Purpose of Processing
We use personal data to:
- Provide and operate the Faktura platform
- Generate, deliver, and archive invoices, quotes, and related documents
- Provide customer support
- Maintain accounting and tax records as required by law
- Detect and prevent fraud or abuse
- Communicate service notices and material changes to these terms
5. Data Retention
- Invoices and accounting data: retained for ten years from the end of the relevant accounting year, in compliance with Luxembourg accounting and tax law.
- Account data not subject to legal retention: deleted within ninety days of account closure, except where retention is required to defend legal claims or comply with another legal obligation.
- Support correspondence: retained for three years from the date of last contact.
- Backups: purged in accordance with our backup rotation, with a maximum lifespan of thirty-five days for routine backups.
Where you exercise the right to erasure under Article 17 GDPR, we will delete personal data we are not legally required to retain. Data subject to the ten-year accounting retention will be archived in restricted-access storage and deleted at the end of the legal retention period.
6. Data Sharing and Sub-processors
We do not sell personal data. We share personal data only with:
- Sub-processors that provide infrastructure services on our behalf, including hosting, transactional email delivery, and document parsing. We maintain a current list of sub-processors, available on request at support@faktura.lu.
- Authorities, where required by Luxembourg or applicable EU law, including in response to a valid order from the AED, the CNPD, or a competent court.
All sub-processors are bound by written agreements imposing data protection obligations equivalent to those set out in this Privacy Policy.
7. International Transfers
We do not currently transfer personal data outside the European Economic Area. All processing takes place on infrastructure located within the EU. If this changes, we will update this Privacy Policy and rely on a valid transfer mechanism under Chapter V GDPR, such as Standard Contractual Clauses or an adequacy decision.
8. Security Measures
We apply technical and organisational measures appropriate to the sensitivity of the data we process, including:
- Encryption in transit using TLS 1.2 or above
- Encryption at rest for invoice archives
- Role-based access control and the principle of least privilege
- Regular backups with redundancy within the EU
- Logging and monitoring of access to production systems
- Security review of code before deployment
No system can be made perfectly secure, and we cannot guarantee absolute security; however, we work continuously to maintain a level of protection appropriate to the data we process.
9. Personal Data Breach Notification
In accordance with Articles 33 and 34 GDPR:
- Where a personal data breach affecting data for which we are the controller is likely to result in a risk to your rights and freedoms, we will notify the Luxembourg National Commission for Data Protection (CNPD) without undue delay and, where feasible, within seventy-two hours of becoming aware of the breach.
- Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, by email or another appropriate means, including the nature of the breach, its likely consequences, the measures taken or proposed in response, and a contact point for further information.
- Where Faktura acts as a processor on your behalf and a breach affects data we process for you, we will notify you (the controller) without undue delay so you may meet your own obligations under Article 33 GDPR.
10. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate or incomplete data
- Request erasure, subject to legal retention obligations
- Restrict processing
- Receive your data in a portable format
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
- Lodge a complaint with the CNPD
To exercise any of these rights, contact us at support@faktura.lu. We will respond within one month of receipt, as required by Article 12 GDPR. Where requests are complex or numerous, we may extend this period by a further two months and will inform you of the extension.
11. Cookies
The Faktura website and platform use only strictly necessary cookies. These cookies are exempt from prior consent under Article 5(3) of the ePrivacy Directive (2002/58/EC), as they are necessary to deliver a service explicitly requested by you.
The categories used are:
- Authentication and session cookies, which maintain your logged-in state across pages.
- Security cookies, which protect against cross-site request forgery and similar attacks.
- Preference cookies, which remember your language selection across visits.
We do not currently use analytics, advertising, or third-party tracking cookies. If we introduce non-essential cookies in the future, we will request your consent through a cookie banner before they are set, and update this Privacy Policy accordingly.
12. Supervisory Authority
You have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD):
Website
https://cnpd.public.lu
Address
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Phone
(+352) 26 10 60-1
13. Children's Privacy
Faktura is a B2B platform intended for businesses and self-employed professionals. The Service is not directed to children. We do not knowingly collect personal data from individuals under sixteen, the digital-consent age under Luxembourg law.
14. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal obligations. Material changes will be notified by email and through the platform. Continued use of the Service after notification constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions or to exercise your rights, contact us at support@faktura.lu.